What will happen to the existing certificates if the LetsEncrypt account is deactivated?

We have a LetsEncrypt account with adjusted rate limits and being used by several teams within our organization.
We wanted to re-new the account key and therefore we have created a new LetsEncrypt account with adjusted rate limits and now want to deactivate the existing old LetsEncrypt account. But we still have valid certificates that were requested by this old account. Are those certificates going to be valid until the expiry? or do I need to request them again using the new account?


1 Like

Sort answer: YES
Certs will live until they expire.
You should make sure your "new" configuration is ready to replace them before they're done though.
Hope this helps.


"Life is like a box of chocolates."

And in this case, the chocolates can be similar, or different, within multiple boxes and can also be had separately.

[Yes "had", since "purchased separately" would imply that you had to pay for the free chocolates]


While I don't know as there's anything "wrong" about creating and using a whole new account, people should be aware that you don't need a new account just to change your account key. There's a keyChange endpoint that lets you rotate your account key without changing anything else about the account. Support for it amongst ACME clients is pretty rare, though.


Maybe another opportunity for a tool. :thinking:


Posh-ACME supports key rollover and the ability to import/export an account key from/to a standard PEM private key. So theoretically the tool could just be Posh-ACME if your normal client also has a way to import/export the private key. :smiley:

The key rollover functionality will also optionally accept an externally generated key rather than generating the new key itself. Bonus! Boulder gets mad if you try to rollover using a key already associated with another account though. Heh.


The primary challenge here, as with the email-updating tool mentioned elsewhere, is the extraction of the account private key and account url from various "underfunctioning" clients. Arguably in many cases it might be easier to just switch to a "fully functioning" client and create a new ACME account. These "supplemental" tools are primarily intended to externally augment the functionality of existing clients. Obviously, creating the account with this tool then importing it into the target client would possibly be more reliable. That's a rather anachronistic hope though. :confused:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.